Re: [OAUTH-WG] Token Access Authentication Scheme Draft

2010-02-03 Thread Eran Hammer-Lahav
First, congrats on the new member of the Eaton family. > -Original Message- > From: Brian Eaton [mailto:bea...@google.com] > Sent: Tuesday, December 08, 2009 10:43 PM > To: Eran Hammer-Lahav > Cc: OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Token Access Authentication Scheme Draft

Re: [OAUTH-WG] Token Access Authentication Scheme Draft

2010-02-03 Thread Eran Hammer-Lahav
Thanks Dan. > -Original Message- > From: Dan Winship [mailto:dan.wins...@gmail.com] > Sent: Tuesday, December 08, 2009 11:00 AM > If Token/OAuth is not intended for use with Proxy-Authenticate/Proxy-Authorization, then you should say that explicitly near the beginning, and if > not, th

Re: [OAUTH-WG] Use Case: Adobe: HTTP based media delivery

2010-02-03 Thread Gaurav Rastogi
Hi Blaine, Here are details on the use case regarding http token authentication based out of media delivery workflow currently being used by Adobe, several major US broadcasting companies, and CDN vendors. We are hoping to use http token authentication to solve some of the major pain points arou

Re: [OAUTH-WG] Comment on draft-hammer-http-token-auth-01

2010-02-03 Thread Eran Hammer-Lahav
> -Original Message- > From: Manger, James H [mailto:james.h.man...@team.telstra.com] > Sent: Wednesday, February 03, 2010 10:19 PM > To: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org) > Subject: RE: Comment on draft-hammer-http-token-auth-01 > > > I disagree. Voiding a token to stop suppo

Re: [OAUTH-WG] What are the primary criteria in issuing an authentication challenge?

2010-02-03 Thread Eran Hammer-Lahav
Just to be clear, I was referring to the case where a client can figure out how to obtain authorization and then authenticate without any pre-configuration. This means giving a discovery flow for each type of authorization option (desktop, mobile, web, etc.) with all the parameters needed for ea

Re: [OAUTH-WG] Comment on draft-hammer-http-token-auth-01

2010-02-03 Thread Manger, James H
> I disagree. Voiding a token to stop supporting an algorithm is > perfectly reasonable and might not even require user involvement if the > refresh mechanism is (adopted and) used. And if the reason for this is > a broken algorithm, well, I would hope the tokens are voided, not just > used with th

Re: [OAUTH-WG] What are the primary criteria in issuing an authentication challenge?

2010-02-03 Thread John Panzer
Au contraire (speaking only for myself). On Wednesday, February 3, 2010, Eran Hammer-Lahav wrote: > It doesn't feel like we have much interest at this level of interoperability > at this point. > > EHL > >> -Original Message- >> From: Manger, James H [mailto:james.h.man...@team.telstra.c

Re: [OAUTH-WG] Comment on draft-hammer-http-token-auth-01

2010-02-03 Thread Eran Hammer-Lahav
Thanks James. > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Manger, James H > Sent: Wednesday, February 03, 2010 5:03 PM > To: OAuth WG (oauth@ietf.org) > Subject: [OAUTH-WG] Comment on draft-hammer-http-token-auth-01 > > Comments on dr

Re: [OAUTH-WG] What are the primary criteria in issuing an authentication challenge?

2010-02-03 Thread Joseph Anthony Pasquale Holsten
Please consider my position retracted. -- j On Feb 3, 2010, at 8:16 PM, Eran Hammer-Lahav wrote: > You are going too far. I meant the people on this list. That's the only group > that matters. > > EHL > >> -Original Message- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.or

Re: [OAUTH-WG] What are the primary criteria in issuing an authentication challenge?

2010-02-03 Thread Eran Hammer-Lahav
You are going too far. I meant the people on this list. That's the only group that matters. EHL > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Joseph Anthony Pasquale Holsten > Sent: Wednesday, February 03, 2010 6:12 PM > To: OAuth WG (

Re: [OAUTH-WG] What are the primary criteria in issuing an authentication challenge?

2010-02-03 Thread Joseph Anthony Pasquale Holsten
A self fulfilling prophecy. Who isn't interested? Client authors or service providers with an incentive to lock people in? If you work at microsoft or google or yahoo or facebook, you might consider asking people like ping.fm how much they care about interoperability. And maybe ask why the peop

[OAUTH-WG] Comment on draft-hammer-http-token-auth-01

2010-02-03 Thread Manger, James H
Comments on draft-hammer-http-token-auth-01 (3 Feb 2010) after a quick read. [http://tools.ietf.org/html/draft-hammer-http-token-auth-01] The simple bearer token mode is still buried as an exception to the request signing rules. This just isn’t necessary, it’s awful. Choosing a hash algorit

Re: [OAUTH-WG] Token Access Authentication Scheme Draft

2010-02-03 Thread Eran Hammer-Lahav
> -Original Message- > From: Manger, James H [mailto:james.h.man...@team.telstra.com] > Sent: Wednesday, February 03, 2010 3:23 PM > To: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org) > Subject: RE: Token Access Authentication Scheme Draft > > > The reason why it makes little sense to have

Re: [OAUTH-WG] Token Access Authentication Scheme Draft

2010-02-03 Thread Manger, James H
> The reason why it makes little sense to have different schemes for > different types of tokens is that it is not the protected resource's > job to say which algorithm should be used, but the server when issuing > the token for that resource. The draft did a poor job at separating the > role of th

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Dick Hardt
On 2010-02-03, at 12:01 PM, Peter Saint-Andre wrote: > > > On 2/3/10 12:46 PM, Dick Hardt wrote: > >> Wanting to discuss technical details when there does not seem to be >> consensus on the problem we are solving was my Titanic reference. > > Remember, these interim meetings are > intended t

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Peter Saint-Andre
On 2/3/10 12:46 PM, Dick Hardt wrote: > Wanting to discuss technical details when there does not seem to be > consensus on the problem we are solving was my Titanic reference. We have two dangers here: 1. The Scylla of designing technologies before we fully understand the problem space and its

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Dick Hardt
On 2010-02-03, at 11:21 AM, Eran Hammer-Lahav wrote: >> -Original Message- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of Eran Hammer-Lahav >> Sent: Wednesday, February 03, 2010 11:19 AM >> To: Dick Hardt >> Cc: OAuth WG >> Subject: Re: [OAUTH-WG] proposed

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Dick Hardt
On 2010-02-03, at 11:19 AM, Eran Hammer-Lahav wrote: > I did not mean my first reply to you to be abrasive or confrontational, > despite being told that my work on the drafts is a waste of time ("moving > around deck chairs on the Titanic"). I and many others appreciate your work. That was not

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Eran Hammer-Lahav
> -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Eran Hammer-Lahav > Sent: Wednesday, February 03, 2010 11:19 AM > To: Dick Hardt > Cc: OAuth WG > Subject: Re: [OAUTH-WG] proposed agenda for second interim meeting > > I did not mean my fi

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Eran Hammer-Lahav
I did not mean my first reply to you to be abrasive or confrontational, despite being told that my work on the drafts is a waste of time ("moving around deck chairs on the Titanic"). I simply disagreed with your view that it is too early to dedicate the next call to technical details. I actually

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Dick Hardt
I recall from the call that Peter did ask if there was consensus on the approach of gathering use cases. There seemed consensus that the WG might not fully understand the problem and that this made sense. I don't see that clearly captured in the minutes, hence me communicating to you what had oc

[OAUTH-WG] UMA use cases (was Re: proposed agenda for second interim meeting)

2010-02-03 Thread Eve Maler
Sorry for the delay, and thanks for the push. In scrambling to approve a passel of scenarios and produce our webinar last week, we got a bit behind. (By the way, complete recordings are now available. Their quality is not perfect, but should suffice. Please see http://kantarainitiative.org/

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Blaine Cook
I've started a wiki page here: http://trac.tools.ietf.org/wg/oauth/trac/wiki/OauthFeatureMatrix to pull in the features people think are important, and give us both some way of collecting that data over time and expressing what's present or missing from each protocol & proposal. Despite being call

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Eran Hammer-Lahav
I read the minutes. I don't need to be on the call to present my views on how to proceed. That's not how the IETF operates. I have been expressing my views for the past year, right here on the list. I didn't see any consensus call from the chairs about taking this approach (instead of others).

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Dick Hardt
Eran, Both Tony and I are explaining to you what happened on the call. If you had been on the call, you could have presented your view on how to proceed with the calls. While you may have a different opinion on how to proceed (which I am NOT arguing with), arguing with us on what happened on

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Eran Hammer-Lahav
Hi Anthony, The problem with this approach is that it hasn't worked (multiple times) before because no one ever wants to do the work of collecting and writing the use cases. What we get instead are short cryptic lists and pointers to edge cases. We have a good grasp on how OAuth 1.0 is used and

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Anthony Nadalin
I would tend to agree with Dick based upon the last call and where that was heading. I believe that Eve had some use cases to share around UMA -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Wednesday, February 03, 2010

Re: [OAUTH-WG] What are the primary criteria in issuing an authentication challenge?

2010-02-03 Thread Eran Hammer-Lahav
It doesn't feel like we have much interest at this level of interoperability at this point. EHL > -Original Message- > From: Manger, James H [mailto:james.h.man...@team.telstra.com] > Sent: Wednesday, February 03, 2010 5:38 AM > To: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org) > Subject:

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Eran Hammer-Lahav
Has anyone gathered and reviewed use cases? I haven't seen much of that showing up on the list. From my experience, asking people for use cases rarely works, unless someone is willing to do the work and collect them (and so far I haven't heard from such volunteer). I much prefer the process in w

Re: [OAUTH-WG] Token Access Authentication Scheme Draft

2010-02-03 Thread Eran Hammer-Lahav
Thanks James. Your feedback is a bit late as the draft I am working on now drops the challenge details completely, leaving only the indication that the server supports the Token scheme and using a realm to help the client figure out which token to use (if they have more than one suitable for th

Re: [OAUTH-WG] proposed agenda for second interim meeting

2010-02-03 Thread Dick Hardt
Hi Eran I think it is a little early in our phone discussions to get into technical details. The next step according to the last call was to gather and review use cases. Without rough consensus on what problem we are solving, your points below (which all do need to be discussed at some point) i

Re: [OAUTH-WG] What are the primary criteria in issuing an authentication challenge?

2010-02-03 Thread Manger, James H
An authentication challenge (WWW-Authenticate header) defined in a spec for an authentication mechanism should be present, but only with details specific to that mechanism (eg list of MAC algorithms). I think there should be a totally separate WWW-Authenticate header specifically saying "a dele

Re: [OAUTH-WG] Token Access Authentication Scheme Draft

2010-02-03 Thread Manger, James H
Hello OAuthers, I have a couple of comments on the "Token Access Auth" draft. Initial impression (as Eran asked for): Yuck. Now I will try to be a bit more constructive. This authentication draft breaks the existing model of HTTP authentication too much. It puts a bunch of very different mechan

Re: [OAUTH-WG] terminology

2010-02-03 Thread Peter Saint-Andre
Yes, that is quite helpful. Thanks! On 2/3/10 1:30 AM, David Recordon wrote: > Looks > like > http://spreadsheets.google.com/ccc?key=0AjpBrc9X0st3dFBNQUpnZzFJbmFGOTkxZUVNdGdxMmc&hl=en > > is actually publi

Re: [OAUTH-WG] terminology

2010-02-03 Thread David Recordon
Looks like http://spreadsheets.google.com/ccc?key=0AjpBrc9X0st3dFBNQUpnZzFJbmFGOTkxZUVNdGdxMmc&hl=en is actually public. On Tue, Feb 2, 2010 at 2:08 PM, Peter Saint-Andre wrote: > On 1/28/10 11:35 PM, David Recordon wrote: > > Hey Peter, > > Luke put together a spreadsheet comparing the terminolog